okta: allow user configuration of debug_data flattened use #9868
This change does not currently pass.
So add one of these to fix this… diff --git a/packages/okta/data_stream/system/fields/fields.yml b/packages/okta/data_stream/system/fields/fields.yml
index b0f51b1b0..c314f671c 100644
--- a/packages/okta/data_stream/system/fields/fields.yml
+++ b/packages/okta/data_stream/system/fields/fields.yml
@@ -273,3 +273,5 @@
fields:
- name: ip_chain
type: flattened
+- name: okta.debug_context.debug_data.behaviors.new_city
+ type: keyword
\ No newline at end of file
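Review bot: the added `type: keyword` line at the end of this fields.yml hunk is followed by `\ No newline at end of file`, so the file now ends without a trailing newline. Add the newline so that later appends to the file show up as clean one-entry diffs.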
diff --git a/packages/okta/docs/README.md b/packages/okta/docs/README.md
index 00f10e7ea..9762a1b64 100644
--- a/packages/okta/docs/README.md
+++ b/packages/okta/docs/README.md
@@ -304,6 +304,7 @@ An example event for `system` looks as following:
| okta.client.zone | The zone information of the client. | keyword |
| okta.debug_context.debug_data | | object |
| okta.debug_context.debug_data.authn_request_id | The authorization request ID. | keyword |
+| okta.debug_context.debug_data.behaviors.new_city | | keyword |
| okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword |
| okta.debug_context.debug_data.dt_hash | The device token hash | keyword |
| okta.debug_context.debug_data.factor | The factor used for authentication. | keyword | This however causes a mapping failure:
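Review bot: the added `okta.debug_context.debug_data.behaviors.new_city` row has an empty description cell, while the rows around it (`authn_request_id`, `device_fingerprint`, `dt_hash`) each say what the field holds. Give the field a description where it is defined so the table row is not blank.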
A minimal version of this is here:
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
I was testing the upgrade process going from 2.9.0 to 2.10.0 (751ce10) where I already had some data indexed, and the upgrade (using 8.13.4) fails with
@zmoog @ruflin Is this the expected behavior? Can we adopt The subobjects documentation says
but shouldn't Fleet be doing a rollover?
packages/okta/manifest.yml
@@ -138,6 +138,13 @@ policy_templates: | |||
multi: false | |||
required: false | |||
show_user: true | |||
- name: remove_flattened_debug |
remove_flattened_debug is declared in two places. I think one of them needs to be removed.
Relates: elastic/package-spec#421
Yes, Fleet should do a rollover. @flash1293 mentioned this issue during our sync, a couple of days ago. We are looking into this.
Sorry for this hurdle, the fleet team is already working on it here: elastic/kibana#183496
@flash1293 Now that 8.14 is out, could we avoid the problem of elastic/kibana#183496 if we switched this data stream over to using data
@andrewkroh I don't think this changes anything - in fact the custom integration case is also using subobjects:false on the datastream level.
Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as
8.15.0 is out now so this should be unblocked by the earlier bug elastic/kibana#183496.
Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

go run github.com/andrewkroh/go-examples/[email protected] -ecs-version=8.11.0 [email protected] -drop-import-mappings -kibana-version=^8.13.0 -fields-yml-drop-ecs packages/okta
Package okta - 2.12.0 containing this change is available at https://epr.elastic.co/search?package=okta
Status: Blocked by elastic/kibana#183496 which will require v8.15.0.

Proposed commit message

See title.